Risk Assessment

The Risk Assessment module can help mitigate your company's cyber risk and also align third-parties with your security controls, regulations, and risk tolerance.

The Risk Assessment module provides risk reports from a vendor that specializes in assessing companies by non-intrusively evaluating the third parties’ attack surface. Hundreds of tests are performed, such as collecting information on exposed assets and evaluating security practices.

The assessment is usually completed within 12-72 hours. at which point, an email is sent to notify about the completion.

The following diagram illustrates the Risk Assessment page: temporary placeholder Each assessed company is given a Cyber Posture Rating that represents the risk level attributed to its external digital perimeter. In addition, the assessment includes a Report and Findings. For more information, see View assessed companies.

Assess a company

Before you begin, ensure that:

  • You have a subscription to the Threat Command Threat Third Party module with rights to create an assessment.
  • You have at least one assessment license that can be used. To purchase additional licenses, click Get more under the license counter.

To assess a company:

  1. From the Threat Command main menu, select Threat Third Party.
    The Risk Assessment page is displayed.
  2. Click +.
  3. In the New Assessment Report Request  dialog box, type the company name or domain to assess.
    The specified name or domain is searched for.
  4. If the company is found (its name is displayed), do the following:
    1. Select the company.
      In this example. "ACME" is used to represent an imaginary company.
      temporary placeholder
    2. (Optional) You can add additional email recipients to receive the report when it is complete.
    3. (Optional) You can add additional domains  subdomains, and IP addresses of the same company.
      In all cases, TTP discovers assets relevant to the assessed company. These assets are used during the assessment process.
    4. Click Create.
    5. Skip the next step.
  5. If the company is not found, do the following:
    1. Click Create new company.
    2. Enter details for the new company.
      temporary placeholder
    3. (Optional) You can add additional email recipients to receive the report when it is complete.
    4. (Optional) You can add additional domains of the same company.
    5. Click Create.
      Assessments for companies not found can begin only after a Rapid7 representative approves the company. This process can take up to two business days.

Before begining the external assessment tests, we identify every publicly accessible asset linked to the evaluated company. Asset discovery is done automatically by our vendor, requiring only a single asset to get started. Usually, the primary domain of a company is used as a starting point for discovering all of the company’s attack surface, including domains, subdomains, and IP addresses.

To prevent false positives, each asset goes is vetted to determine if it should be attached to the company. That said, it is expected to have a certain rate of false positives.

To assess a company that was already assessed:

  • Hover your pointer over the company assessment line in the main table, then click +temporary placeholder

View assessed companies

You can view assessed companies from the Risk Assessment page:

temporary placeholder

Each line represents a company for which an assessment has been requested. The status changes from In Progress to Completed when the reports are ready. The following sections describe the company assessments.

Cyber posture rating

This rating represents a security assessment of the company’s public-facing digital footprint to evaluate the risk level associated with your third parties. The analysis non-intrusively evaluates the third-party attack surface through the analysis of externally available data. To ensure a comprehensive view of your third parties' digital perimeter, hundreds of tests are performed, such as collecting information on exposed assets or a lack of security best practices.

Tests are performed to assess these layers:

  • Network & IT - Web, e-mail, and DNS servers, TLS protocols, asset reputation, cloud solutions, and other exposed services.
  • Application - Web applications, CMS, domain attacks, etc.
  • Human - Employee attack surface, social posture, presence of a dedicated security team, etc.

The company Cyber Posture Rating represents a calculated average of ratings for each layer of the assessed digital perimeter. The 0-100 rating represents a security assessment of the company’s public-facing digital footprint to evaluate the risk level associated with your third parties.

Assessment report

From the Report column, you can download a PDF report with the following sections:

  • The company overview.
  • The Cyber Posture rating.
  • The tested categories.
  • A comparison of the company’s rating with the industry.
  • Dark web mentions trend.
  • The results of the tested assets agains the categories.

Assessment findings

From the Findings column, you can download a CSV file that includes a detailed explanation of found issues stated in the report, including the found assess and the issue associated with that asset.

Export details of assessed companies

You can export the details in the assessment table so you can share it easier with executives and other interested parties.

To export the assessed company details:

  1. From the Risk Assessment page, click Export CSV.
    The filters applied to the Risk Assessment page are applied to the export operation.
  2. In the Column selection and order section, select which columns to export and in which order.
  3. Click Download CSV.

The report is entitled Rapid7 Risk Assessments.csv